Why doesnt strip_tags() seem to work?

Anon

I have a website that people can post info on, and I was using strip_tags($string) before inserting my records in the database. The html was still getting through, and my website was defaced by someone sticking in img tags that pointed to some very disturbing pornography. Is there a better way to strip html out of form entry? I added perl reg ex to delete everything between < and > ... are there any good functions or libraries for form input validation? strip_tags() should have been able to catch this, but it didnt stop any of it...

Anon

There is a function (html_encode() I believe, but I'm not sure) which will replace any html-interpreted characters with their ampersand codes. So all < symbols would be replaced by < etc., and you could print the resulting string and have it be displayed exactly as the text was entered.

-Keegan

Anon

What version of PHP are you running? And can you show a bit of the actual code? I've never seen strip_tags() to fail myself...

Anon

I am using 4.03pl1, and I do this:

strip_tags($string);

maybe I should try doing:

$string = strip_tags($string);

-?-

Anon

I was about to say that but i think you caught it...

strip_tags returns the string with tags stripped, not stripping the referenced string...

--harlan

Anon

That's exactly what you have to do: hopefully the manual page makes it clear that strip_tags() transforms a copy of the argument and returns that, leaving the original string unmolested.